{"id":795,"date":"2013-02-28T15:57:47","date_gmt":"2013-02-28T23:57:47","guid":{"rendered":"http:\/\/e-olio.com\/cknow\/cms\/?p=795"},"modified":"2013-04-16T13:23:56","modified_gmt":"2013-04-16T20:23:56","slug":"companion-files","status":"publish","type":"post","link":"https:\/\/www.cknow.com\/cms\/vtutor\/companion-files.html","title":{"rendered":"Companion Files"},"content":{"rendered":"

Companion viruses make use of a DOS quirk that runs COM files before EXE files. The virus infects EXE files by installing a same-named COM file.<\/strong><\/p>\n<\/div>Would you believe that a virus can infect your files without changing a single byte in the infected file? Well, it’s true; two different ways in fact! The more common of the two ways is called the companion or spawning virus (the other is a cluster virus<\/a>). The companion virus infects your files by locating all files with names ending in EXE. The virus then creates a matching file name ending in COM that contains the viral code.<\/p>\n

Here’s what happens: Let’s say a companion virus is executing on your PC and decides it’s time to infect a file. It looks around and happens to find a file called PGM.EXE. It now creates a file called PGM.COM containing the virus. The virus usually plants this file in the same directory as the .EXE file but it could place it in any directory on your DOS path. If you type PGM and hit enter, DOS will execute PGM.COM instead of PGM.EXE. (In order, DOS will execute COM, then EXE, then BAT files of the same root name, if they are all in the same directory.) The virus executes, possibly infecting more files and then loads and executes PGM.EXE. The user probably won’t notice anything wrong.<\/p>\n

This type of virus is fairly easy to detect by the presence of the extra COM files. Sometimes the virus attempts to hide the extra files by either placing them into a different directory (but one on the PATH) or gives them a hidden attribute so a normal DIR command will not show them. And, of course, when the virus is active in memory it can effectively hide the COM files as well (but, unlike many viruses, a companion infector need not remain in memory to do its work).<\/p>\n

A good integrity map of what should be on the hard disk can be used to easily detect and clean companion viruses.<\/p>\n

Note:<\/strong> There are some instances where it is normal to have both COM and EXE files of the same name (such as DOS 5’s DOSSHELL) but this is relatively rare. When this is the case, the companion virus will usually not change the existing COM file (although some are sloppy and will).<\/p>\n

Companion viruses were never particularly common and under Windows where specific files are associated with icons you likely won’t see them.<\/p>\n

Summary<\/h4>\n